Secure Reusable Base-String in Quantum Key Distribution 

Protecting the secure random key from eavesdropping in quantum key distribution protocols has been well developed. In this letter, we further study how to detect and eliminate eavesdropping on the random base string in such protocols. The correlation between the base string and the key enables Alice and Bob to use specific privacy amplification to distill and reuse the previously shared base string with unconditional security and high efficiency. The analysis of the unconditionally secure reusable base string brings about a new concept and protocol design technique.

Quantum cryptography has received wide attention from people who pursue perfectly secure communication. Since the first quantum key distribution (QKD) protocol by Bennett and Brassard, the BB84 QKD protocol, scientists have developed various techniques to improve its security and efficiency. Recently, unconditional security of the BB84 QKD protocol has been achieved.

Most QKD protocols focus on detecting and eliminating eavesdropping on the random key by encoding it to the qubits with different bases. The choices of the bases, namely the base string, act like an encryption key. Especially in some recent works, the base string is shared before the protocol. So it is interesting to investigate how to protect such an encryption key from eavesdropping.

In this Letter, we explicitly prove, for the first time, how much of the base string can be reused with unconditional security. The result not only increases the efficiency of quantum cryptography, but also contributes to the foundation of quantum information science and cryptography designs.

Suppose Alice and Bob share a common and random base string. Then Alice encodes the qubits using this shared base string and sends them to Bob. Bob receives and measures the qubits in the bases determined by the shared base string. In the ideal situation, Alice and Bob can reuse the base string if no error is found in the check step. This kind of sharing is able to greatly increase the efficiency of quantum key distribution, because no qubit is wasted due to a wrong choice of the measuring basis.

However, in practice channel errors are unavoidable. Eve may steal some information about the secret base string. However, we will prove that Alice and Bob can estimate and eliminate Eve's information on the base string by privacy amplification. The proof of our QKD protocol with shared and reusable base string is also based on the lemma that high fidelity implies low entropy and on a reduction technique similar to that of Shor and Preskill. But we extend the security analysis from one entangled pair to a block of two entangled pairs. This extension gives a correlation between the error rates of the two entangled pairs.

We start with the entanglement distillation QKD protocol. Firstly, we can suppose that the secret and random base string is also generated from other high-fidelity EPR pairs, denoted as the base pairs; namely, Alice and Bob both measure their qubits of the base pairs respectively in the Z-basis. Secondly, we let Alice and Bob postpone the measurements on the base pairs. Then Alice's random Hadamard transformation on the second qubit of each communicating pair is replaced by the controlled-Hadamard operation with her own qubit of one base pair as the source qubit and the second qubit of one communicating pair as the target qubit. In particular, the controlled-Hadamard gate using the first qubit to control the second qubit is denoted as $CH_{12}$.

Following the ideas above, we obtain the following protocol:



Protocol 1 Entanglement distillation QKD protocol with reusable shared base string



1. Alice and Bob share 2n base EPR pairs in the state 

2. Alice prepares 2n communicating EPR pairs in the state $|\Phi^+\rangle^{\otimes 2n}$, and groups each communicating pair with one base pair to create 2n blocks. Fig. 1 shows the operations on one block in the protocol, in which the 1st and the 4th qubits form a base pair and the 2nd and the 3rd qubits form a communicating pair.

3. In each block, Alice applies $CH_{13}$, as shown in phase 1 of Fig. 1.

4. Alice sends the 3rd qubit of each block to Bob, as shown in phase 2 of Fig. 1.

5. Bob receives the qubits. In each block, he applies $CH_{43}$, as shown in phase 3 of Fig. 1. Then he publicly announces the reception.

FIG. 1: Entanglement distillation QKD protocol with reusable base string in a block of two EPR pairs



6. The following steps are the post-processing procedure. Alice and Bob randomly permute the blocks and agree on n random blocks out of the 2n blocks as check blocks.

7. In each check block, Alice and Bob both measure their own qubits of the communicating pairs in the Z-basis, and publicly compare their results to obtain the channel bit error rate e. If there are too many errors, they abort the protocol.

8. By estimating the bit error rate on the communicating pairs in the code blocks from the checking process, Alice and Bob apply an entanglement purification protocol (EPP) to distill m communicating pairs with high fidelity from the n corrupted communicating pairs. Then they both measure them in the Z-basis to establish an m-bit secret key.

9. Alice and Bob can also estimate the phase error rate on the base pairs in all blocks as not greater than 2e. Then Alice and Bob apply another EPP to distill 2m' base pairs with high fidelity from the 2n corrupted base pairs. Then they both measure them in the Z-basis to establish a 2m'-bit secret base string.

The key point in proving the unconditional security of Protocol 1 is the estimation of the error rates on the two kinds of EPR pairs, shown in steps 8 and 9. When the channel is noisy, we suppose without loss of generality that the errors of the channel all come from Eve's manipulation of the quantum system. We assume that Eve can perform an arbitrary coherent attack on all blocks. Here we apply the quantum de Finetti representation, and we only consider the asymptotic situation of large n. Thanks to the random permutation of the blocks in step 6 of Protocol 1, the 2n blocks are exchangeable and satisfy the condition of the quantum de Finetti representation. Therefore, the final state of the total 2n blocks is a mixture of product states, namely, the density matrix of the final state is

$$\rho_{\text{all}} = \int P_{\rho'}\, \rho'^{\otimes 2n}\, d\rho', \tag{1}$$

in which $\rho'$ is chosen from any possible corrupted density matrix of one block and $P_{\rho'}$ is its weight. Due to the linear sum of different $\rho'^{\otimes 2n}$ in the final density matrix, the results of any measurement on $\rho_{\text{all}}$ are also the linear weighted sum of measurement results on different $\rho'^{\otimes 2n}$. So we can restrict our analysis to one possible value of $\rho'$.

Considering the case with one possible value of $\rho'$, we find that the results of measuring any operator on each block of the final state are effectively independent and identically distributed. The bit and phase error rates of the base pairs, denoted as $E^{\text{bit}}_{\text{base}}$ and $E^{\text{ph}}_{\text{base}}$, and the bit and phase error rates of the communicating pairs, denoted as $E^{\text{bit}}_{\text{comm}}$ and $E^{\text{ph}}_{\text{comm}}$, are the rates of obtaining $-1$ when measuring $Z_1Z_4$, $X_1X_4$, $Z_2Z_3$ and $X_2X_3$ respectively in the blocks. Because all four of these measurement operators commute with each other, we are able to apply classical probability here. By the central limit theorem, all these error rates are equal to the expected values of the measurement results of the corresponding operators in one block, with very large probabilities. As a result, we need only analyze the error rates of one block in one possible state $\rho'$.

When we only study one block, the initial state is $\rho_0$, defined as

$$\rho_0 = |\psi_0\rangle\langle\psi_0|, \tag{2}$$

where $|\psi_0\rangle = \frac{1}{2}(|00\rangle + |11\rangle)_{14} \otimes (|00\rangle + |11\rangle)_{23}$. Any possible final state, $\rho'$, is obtained by an arbitrary operation of Eve. A general operation of Eve can be described by a superoperator on the 3rd qubit in each block, which is transmitted via the channel. We denote the superoperator as §. Then from the protocol, we obtain that

$$\rho' = CH_{43}\, \S\!\left(CH_{13}\, \rho_0\, CH_{13}^{\dagger}\right) CH_{43}^{\dagger}. \tag{3}$$

A general superoperator of Eve's operation is described 
as 



(4) 



in which $\rho_1 = CH_{13}\, \rho_0\, CH_{13}^{\dagger}$ and $M_\mu$ is an arbitrary matrix acting on the 3rd qubit, namely,

(5)



Due to the linearity of the superoperator, we first calculate the error rates on each $M_\mu$. The results are

Therefore, by using the linearity of Eqs. (1) and (4), we obtain the relationship between the four kinds of error rates, namely,



E ph = E 
(12)
(13) 



To interpret the above results, we note that the controlled-Hadamard operations serve as the random Hadamard operations, which make the bit and phase error rates of the communicating pairs symmetric. As no qubit of the base pairs is transmitted through the channel, their bit error rate is 0, while their phase error rate is the result of the propagation of errors on the communicating pairs.

Moreover, Alice and Bob only need to know $E^{\text{bit}}_{\text{comm}}$, and $E^{\text{bit}}_{\text{comm}}$ can be best estimated from the comparison of the Z-basis measurement results of the n check communicating pairs in step 7 of Protocol 1, as well as the channel bit error rate e. Thus, knowing the bounds of the error rates, Alice and Bob can employ two EPPs on the communicating and base pairs respectively, as shown in steps 8 and 9. If both EPPs are successful, they will distill both high-fidelity base and communicating EPR pairs, which implies low entropy of Eve's information. Therefore, not only is a secret shared key established, but the secret base string can also be reused in the future, after Z-basis measurements on these pairs. Note that no base pairs are sacrificed in the checking process, so a total of 2n base pairs can be used in the EPP.

So far, we have shown the unconditional security of Protocol 1. Our final goal is to derive a prepare-and-measure protocol with reusable shared base string from Protocol 1. The reduction relies on the fact that some of the final Z-basis measurements in steps 8 and 9 commute with other operations and measurements in the protocol, and so can be brought forward to the beginning of the protocol without affecting the security.

Firstly, both Alice's and Bob's final measurements on both kinds of pairs can be brought before the error correcting procedure in steps 8 and 9. If we use EPPs with one-way classical communication, the result effectively changes the EPP to error correction with Calderbank-Shor-Steane (CSS) codes [1] on single qubits. A CSS code $Q(C_1, C_2)$ employs two classical linear codes $C_1$ and $C_2$, in which $C_1$ and $C_2$ are used for correcting bit and phase errors respectively and $C_2 \subset C_1$ [13]. Moreover, because the bit error rate on the base pairs is always 0, we only need $C_2$ to correct the base pairs.

Secondly, Alice's final measurements commute with the controlled-Hadamard gates applied in step 3. It can also be verified that Bob's final measurements on the base pairs commute with the gates in step 5.

Thirdly, no measurement of the phase error rates is required, because we have proved that the upper bounds of the two kinds of phase error rates can be estimated using the channel bit error rate e. Thus Alice and Bob's final measurements commute with the measurements in step 7.

Finally, we have successfully brought Alice's final measurements to the beginning of Protocol 1. We are also able to bring Bob's final measurements on the base pairs to the beginning of the protocol, and to bring those on the communicating pairs to Bob's reception of the qubits. We summarize the result of the equivalent transformations as the following protocol.

Protocol 2 BB84 QKD protocol with reusable shared base string

1. Alice and Bob share a 2n-bit binary base string b.

2. Alice prepares 2n qubits. If the corresponding bit value of b is 0, she randomly prepares the qubit in $|0\rangle$ or $|1\rangle$; otherwise she randomly prepares the qubit in $|+\rangle$ or $|-\rangle$.

3. Alice sends the qubits to Bob.

4. Bob receives the qubits and immediately measures them in the basis given by his copy of b. Then he publicly announces the reception.

5. Alice and Bob agree on n qubits as check qubits. The remaining n qubits are code qubits.

6. Alice and Bob publicly compare the bit values on the check qubits and obtain the channel bit error rate e. If there are too many errors, they abort the protocol.

7. Alice and Bob select a CSS code $Q(C_1, C_2)$ that is capable of correcting both bit and phase errors on the code qubits, whose rates are both e. They employ $C_1$ to correct the bit errors in the measurement results of the code qubits. Then they use the coset of the corrected results with respect to $C_2$ as the final key.

8. Alice and Bob select another linear code $C'_2$ that is capable of correcting the phase errors on the hypothetical base EPR pairs represented by b, whose rate is at most 2e. They use the coset of b with respect to $C'_2$ as the final reusable secret base string.
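
Step 8 amounts to a linear hash of b: the coset of b with respect to $C'_2$ is identified by the syndrome of b under a parity-check matrix of $C'_2$. The following Python code is an added example, not code from the paper; the random parity-check matrix, the bit-flip channel model and the names `estimate_error_rate`, `distill_base` and `demo_round` are assumptions made for illustration.

```python
import random
from math import log2

def h2(x):
    """Binary entropy H(x) in bits."""
    return 0.0 if x <= 0 or x >= 1 else -x * log2(x) - (1 - x) * log2(1 - x)

def estimate_error_rate(alice_bits, bob_bits, check_idx):
    """Steps 5-6: publicly compare the bit values on the check qubits."""
    return sum(alice_bits[i] != bob_bits[i] for i in check_idx) / len(check_idx)

def distill_base(base, e, public_seed):
    """Step 8: label the coset of `base` with respect to C'_2.

    The label is the syndrome P*b (mod 2), with P a parity-check matrix of
    C'_2 having r = floor(len(b) * (1 - H(2e))) rows. ASSUMPTION: P is drawn
    at random from a publicly agreed seed; a deployment would use a code
    known to correct phase errors at rate 2e.
    """
    if 2 * e >= 0.5:
        raise ValueError("abort: no reusable base string when 2e >= 0.5")
    r = int(len(base) * (1 - h2(2 * e)))
    rng = random.Random(public_seed)
    label = []
    for _ in range(r):
        row = [rng.getrandbits(1) for _ in base]
        label.append(sum(p & b for p, b in zip(row, base)) % 2)
    return label

def demo_round(n=200, flip_prob=0.03, seed=7):
    """Constructed run: 2n qubits, channel flips Bob's result with flip_prob."""
    rng = random.Random(seed)
    base = [rng.getrandbits(1) for _ in range(2 * n)]      # shared b (step 1)
    alice = [rng.getrandbits(1) for _ in range(2 * n)]     # encoded bits (step 2)
    bob = [a ^ (rng.random() < flip_prob) for a in alice]  # same basis b (step 4)
    check = rng.sample(range(2 * n), n)                    # step 5
    e = estimate_error_rate(alice, bob, check)             # step 6
    # b never crosses the channel, so both sides hash identical inputs.
    new_a = distill_base(base, e, public_seed=seed + 1)
    new_b = distill_base(list(base), e, public_seed=seed + 1)
    return e, len(new_a), new_a == new_b
```

Because b has no bit errors, Alice and Bob obtain the same shortened base string without any error correction on it, which is why a classical linear code suffices for this step.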



FIG. 2: The generation rates of the final secure key (solid line) and base string (dashed line)



Now we analyze the rates of generating the random key and the reusable base string. The maximal achievable generation rate of the final secure key [1, 3] is

$$R_k(e) = 1 - H(E^{\text{ph}}_{\text{comm}}) - H(E^{\text{bit}}_{\text{comm}}) = 1 - 2H(e), \tag{14}$$

in which $H(x) = -x\log_2 x - (1-x)\log_2(1-x)$. The length of the final key is $nR_k$. Similarly, if $2e < 0.5$, the maximal achievable generation rate of the final reusable base string [4] is

$$R_b(e) = 1 - H(E^{\text{ph}}_{\text{base}}) - H(E^{\text{bit}}_{\text{base}}) < 1 - H(2e). \tag{15}$$

The length of the final reusable base string is $2nR_b$. We plot these two rates in Fig. 2. We find that the maximal error rate that gives a non-zero generation rate of the base string is 25%, much larger than that of the key, which is about 11%.

Suppose Alice and Bob initially share a 2n-bit base string and use it to encode 2n qubits in Protocol 2. After the error correction and privacy amplification, they get an $nR_k(e_1)$-bit key, and a $2nR_b(e_1)$-bit base string remains. Then they use the base string again to encode $2nR_b(e_1)$ qubits in the next protocol and obtain another $nR_b(e_1)R_k(e_2)$-bit key; the remaining base string becomes $2nR_b(e_1)R_b(e_2)$ bits long. In this way, they repeat Protocol 2 again and again. If the channel bit error rate does not change, the total length of key generated from the initial 2n-bit base string is

$$L_k = nR_k(e)\left(1 + R_b(e) + R_b(e)^2 + \cdots\right) = \frac{nR_k(e)}{1 - R_b(e)}. \tag{16}$$

We also plot $L_k/(2n)$ in Fig. 3 and find that if the channel bit error rate is low enough, a short initial base string can generate a much longer random key.
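
The rates of Eqs. (14) to (16) can be checked numerically. The following Python code is an added example, not part of the paper: it locates the two error-rate thresholds by bisection and replays the reuse of the base string round by round with whole-bit lengths, comparing the total with the closed form of Eq. (16). It assumes $R_b(e) = 1 - H(2e)$, the right-hand side of Eq. (15); all function names are hypothetical.

```python
from math import log2

def h2(x):
    """Binary entropy H(x) in bits, with H(0) = H(1) = 0."""
    return 0.0 if x <= 0 or x >= 1 else -x * log2(x) - (1 - x) * log2(1 - x)

def key_rate(e):
    """Eq. (14): R_k(e) = 1 - 2H(e), clipped at zero."""
    return max(0.0, 1.0 - 2.0 * h2(e))

def base_rate(e):
    """ASSUMPTION: R_b(e) = 1 - H(2e) for 2e < 0.5 (right side of Eq. 15)."""
    return max(0.0, 1.0 - h2(2.0 * e)) if 2.0 * e < 0.5 else 0.0

def threshold(rate, lo=1e-9, hi=0.5, iters=60):
    """Largest e with rate(e) > 0, by bisection; both rates decrease in e."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if rate(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo

def closed_form(n, e):
    """Eq. (16): L_k = n R_k(e) / (1 - R_b(e)); unbounded on a clean channel."""
    rb = base_rate(e)
    return float("inf") if rb >= 1.0 else n * key_rate(e) / (1.0 - rb)

def reuse(n, e, max_rounds=10_000):
    """Repeat Protocol 2 at fixed e with whole-bit lengths; return (key, rounds)."""
    base_len, key_bits, rounds = 2 * n, 0, 0
    while base_len >= 2 and key_rate(e) > 0 and rounds < max_rounds:
        key_bits += int((base_len // 2) * key_rate(e))  # half are check qubits
        base_len = int(base_len * base_rate(e))         # distilled base string
        rounds += 1
    return key_bits, rounds
```

With n = 10^6 and e = 0.02 the round-by-round total stays just below the closed form, and $L_k/(2n)$ exceeds 1, so the key produced is longer than the base string that was initially shared.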



FIG. 3: $L_k/(2n)$ versus the channel bit error rate e

In conclusion, we have shown that if Alice and Bob first share a secret base string and use it in the BB84 QKD protocol to encode the qubits, they are able to reuse this shared information in the future by distilling the base string using certain privacy amplification methods. In particular, in the part of the qubits successfully received by Bob, the generation rate of the base distillation is also related to the channel bit error rate, and is higher than that of the key distillation. Furthermore, as the bit error rate of the base string is zero, we need only use a classical linear code instead of CSS codes to distill the base string, so the distillation is much simpler and more efficient. The secure reusable base string is a distinctly different concept, and it may lead to new strategies in protocol design in quantum cryptography, hence contributing to the foundation of quantum information science.